The latest SOX survey | Norman Marks on Governance, Risk Management, and Audit


The latest SOX survey

Protiviti continues to share the results of their various surveys. One of the latest is The Evolution of SOX: Tech Adoption and Cost Focus Amid Business Changes, Cyber and ESG Mandates. It was produced in collaboration with AuditBoard.

Although I’m not sure I agree with some of the ideas pushed in the report, such as using analytics and other tools to replace manual testing of controls (they usually only test the data, not the existence or operation of controls), the report has some useful and interesting observations.

One area that they simply get wrong is including non-financial disclosures (such as cyber breaches and ESG disclosures) in a discussion of the SOX compliance program. While we need to have controls over all disclosures, that is a different part of the Sarbanes-Oxley Act and not, for example, subject to audit by the external audit firm.

Here are some key points, although I recommend reading the full report:

  • Internal audit functions devoted nearly half of their time (47%) to SOX compliance.
    • 67% were involved in testing
    • 58% helped with updating documentation (why, I don’t know)
    • 55% had their project management office report to the CAE
  • 74% relied on internal audit for controls testing. (I would have thought it would be 67%.)
  • It takes an average of 5.9 hours to test a…
